
Re: [HTCondor-users] condor 8.x and authentication woes
> On Jul 1, 2019, at 9:15 PM, Keith Brown <keith6014@xxxxxxxxx> wrote:
> 
> Hi.
> 
> I went with SSL because its a standard protocol used in HTTPs. Didn't
> think it was this hard.
> 

Ah - on the server-side, yes.  Have you ever set up client X509 auth though with a private CA?  Not particularly fun....

> Here is my setup, BTW
> SEC_DAEMON_AUTHENTICATION = REQUIRED
> SEC_DAEMON_AUTHENTICATION_METHODS = SSL

Ah - both the client and server must have the same protocol enabled (from the error message below, it appears there was no mutually agreed-upon protocol).  You have set the protocol for "DAEMON" (on the server) but not at the client.

At least the first step to configuring is this:

SEC_CLIENT_AUTHENTICATION_METHODS = SSL

When the startd is advertising to the collector, for example, the startd refers to the "client" list and the collector uses the "daemon" authentication list.

(NOTE: adding "D_SECURITY,D_FULLDEBUG" to the daemon's logging configuration often helps with debugging security problems.)

> 
> 
> AUTH_SSL_CLIENT_CAFILE = /var/lib/condor/cndrsrvc.crt
> AUTH_SSL_CLIENT_CERTFILE = /var/lib/condor/cndrsrvc.crt
> AUTH_SSL_CLIENT_KEYFILE = /var/lib/condor/cndrsrvc.key
> AUTH_SSL_SERVER_CAFILE = /var/lib/condor/cndrsrvc.crt
> AUTH_SSL_SERVER_CERTFILE = /var/lib/condor/cndrsrvc.crt
> AUTH_SSL_SERVER_KEYFILE = /var/lib/condor/cndrsrvc.key
> CERTIFICATE_MAPFILE = /var/lib/condor/map
> 
> The map file is simple
> SSL "/C=US/ST=MI/L=Madison/O=University of Wisconsin
> --Madison/O=Computer Sciences Department/OU=HTCondor
> Project/CN=Service" condor
> 
> I am hoping the map file is the issue. I am open to troubleshooting this.
> 
> But, for now I like the password option.
> 

Yup - honestly, we can probably figure out the SSL setup but PASSWORD seems more appropriate here.

Brian
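To catch the mismatch Brian describes before a daemon logs "no mutually agreed-upon protocol", here is an added Python check (not part of this thread and not HTCondor code) that parses a condor_config-style fragment, reports which authentication methods the client and daemon lists share, and tests whether a mapfile pattern matches a certificate DN. It assumes the mapfile pattern is a regular expression matched against the whole DN and it does not model HTCondor's built-in default method lists; the config and mapfile values are constructed from the thread.

```python
import re

# Constructed config fragments using the values quoted in the thread.
# BROKEN_CONFIG reproduces the original setup: only the DAEMON side lists SSL.
BROKEN_CONFIG = """
SEC_DAEMON_AUTHENTICATION = REQUIRED
SEC_DAEMON_AUTHENTICATION_METHODS = SSL
CERTIFICATE_MAPFILE = /var/lib/condor/map
"""
# FIXED_CONFIG adds the client-side line from the reply.
FIXED_CONFIG = BROKEN_CONFIG + "SEC_CLIENT_AUTHENTICATION_METHODS = SSL\n"

# Constructed mapfile line in the thread's format: METHOD "pattern" canonical-name
MAPFILE = ('SSL "/C=US/ST=MI/L=Madison/O=University of Wisconsin --Madison'
           '/O=Computer Sciences Department/OU=HTCondor Project/CN=Service" condor\n')


def parse_config(text):
    """Parse KEY = VALUE lines into a dict; blank lines and # comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip().upper()] = value.strip()
    return cfg


def methods(cfg, key):
    """Split a comma- or space-separated method list into an uppercase set."""
    return {m.upper() for m in re.split(r"[,\s]+", cfg.get(key, "")) if m}


def common_methods(cfg):
    """Methods listed explicitly on BOTH the client and daemon side.

    Assumption: an empty result means the two sides cannot agree on a protocol;
    HTCondor's own defaults for unset lists are deliberately not modelled here.
    """
    return (methods(cfg, "SEC_CLIENT_AUTHENTICATION_METHODS")
            & methods(cfg, "SEC_DAEMON_AUTHENTICATION_METHODS"))


def map_dn(mapfile_text, method, dn):
    """Return the canonical name a quoted mapfile pattern maps `dn` to, or None.

    Assumption: the pattern is a regular expression that must match the whole DN.
    """
    for line in mapfile_text.splitlines():
        m = re.match(r'^(\S+)\s+"([^"]*)"\s+(\S+)\s*$', line.strip())
        if not m or m.group(1).upper() != method.upper():
            continue
        if re.fullmatch(m.group(2), dn):
            return m.group(3)
    return None
```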